VIRUS-L Digest Wednesday, 6 Jun 1990 Volume 3 : Issue 108

VIRUS-L Digest Wednesday, 6 Jun 1990 Volume 3 : Issue 108

Today's Topics:

Analysis of the KEYBGR / FACE problem (PC)
Re: intentional viruses and happy face (general and Mac)
Re: Mac Happy Face turns into a Devil... (Mac)
Stoned (PC)
Re: Removing Stoned from harddisks (PC)
Re: How to reset CMOS configuration that prevents booting? (PC)
Re: Mac Happy Face turns into a Devil... (Mac)
Search strings for IBM VIRSCAN program (PC)
How many Universities have a site-license for McAfee's programs (PC)
Possible virus (PC)
The Devil Made Me Do It
WARNING: Potential Trojan Horse 'STEROID' (Mac)
Gutowski Comments on Unix v. MVS et. al.
F*** Clone of nVir B (Mac)
Info wanted - European Computing Services Assoc.

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

---------------------------------------------------------------------------

Date: Tue, 05 Jun 90 16:14:39 -0500
From: Christoph Fischer <[email protected]>
Subject: Analysis of the KEYBGR / FACE problem (PC)

Hi
over the weekend I analysed the KEYBGR.COM it is a hacked version of the
original KEYBGR.COM MSDOS V2.1. I asked Mr Joest to keep an eye on the
replacements (original) maybe they change again, this could possibly be a hint
that they have a trojan horse producing a trojan horse. (This is theory sofar
and they ran tests that turned out negative, so lets hope it stays that way)
Again as a result: it is *not* a virus! It is a trojan horse with transient
damage.

Christoph Fischer

*****************************************************************
* Christoph Fischer *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-37 64 22 *
* E-Mail: RY15 at DKAUNI11.BITNET *
*****************************************************************

------------------------------

Date: Tue, 05 Jun 90 11:43:33 -0400
From: Joe McMahon <[email protected]>
Subject: Re: intentional viruses and happy face (general and Mac)

>I have had just the strangest thought about all of the commercial
>products out there on the market that protect from viruses, for
>example Symantec's Anti-Virus for the Macintosh -- a product that
>"learns"...

Two points: Deterction is the best solution to viruses. Find them and
replace the programs if you want to be sure you're safe. Second, I
know where SAM's author lives :-). Seriously, you've got to trust
someone. Especially that if someone got caught doing that, I'm sure
that there are plenty of existing laws they could be convicted under
(extortion?).

>Subject: Mac Happy Face turns into a Devil... (Mac)
>
>I just experimented with a public Mac which wasn't
>working too well. When I watched it boot up, the usual
>smiling Macintosh icon turned into a devil with horns,
>fangs and a long tail. I checked it with Disinfectant 1.8
>and found nothing.

Does the "Welcome to Macintosh" window appear afterward? If not,
someone's probably put a startup screen in the System Folder. I just
tried this - I got my Mac to stick out its tongue at me :-).

--- Joe M.

------------------------------

Date: 05 Jun 90 16:19:10 +0000
From: [email protected] (Kees Huyser)
Subject: Re: Mac Happy Face turns into a Devil... (Mac)

[email protected] (Pete) writes:
#I just experimented with a public Mac which wasn't
#working too well. When I watched it boot up, the usual
#smiling Macintosh icon turned into a devil with horns,
#fangs and a long tail. I checked it with Disinfectant 1.8
#and found nothing.
#
#My questions are:
#
#1) Is this a virus or is it some legitimate program I've
#never experienced before?
#
#Peter Wayner Department of Computer Science Cornell Univ. Ithaca, NY 14850
#EMail:[email protected] Office: 607-255-9202 or 255-1008
#Home: 116 Oak Ave, Ithaca, NY 14850 Phone: 607-277-6678

Take a look in the System Folder on this Mac. If you find a file called
StartUpScreen, take a look at it with MacPaint. This will probably show you
the devil in all its glory...

If you don't find StartUpScreen, *or* if it doesn't contain a devil you might
be in trouble.....

- --kees
/* -------------------------------------------------------------------- */
/* [email protected] or {..!uunet.uu.net}!mcsun!hp4nl!nikhefk!keeshu */
/* The National Institute for Nuclear Physics and High-Energy Physics */
/* P.O.Box 4395, 1009 AJ Amsterdam, The Netherlands, phone:+31205920124 */
/* -------------------------------------------------------------------- */

------------------------------

Date: Tue, 05 Jun 90 10:44:06 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Stoned (PC)

>During the last two months there were several asks how to remove
>the STONED-virus from harddisks. The solution is quite easy :

In previous issues, I have seen a number of postings on the STONED
virus reguarding disinfecting disks. One thing that is often missed is
that three separate methods seem necessary:

a) floppy disks
b) un-partitioned hard disks
c) partitioned hard disks

It is not well documented but on boot up with a partitioned disk there
is executable code in the partition table that tells DOS where to find
the boot record for the first partition and that the STONED is
reported to be able to infect this (I have a copy but have not had the
time to check it out). DEBUG cannot read/modify the partition table so
some of the methods presented thusfar will not necessarily work on
such a disk.

I suspect that the STONED simply replaces the first physical sector (DEBUG
uses logical sectors) and does not care whether it contains the boot sector
or the partition table and stores the original sector in physical sector 7.

Padgett Peterson

------------------------------

Date: Tue, 05 Jun 90 19:35:11 -0500
From: "Zoltan DAROCZI (8350893)" <[email protected]>
Subject: Re: Removing Stoned from harddisks (PC)

Martin Zejma ( 8326442-awiwuw11.bitnet) writes:
>4) write this sector over the infected boot sector of the harddisk.
> ( that's Head 0 , Track 0 , Sector 0 , just to make it failsafe).

the sectornumbers on harddisks are starting at 1, not at 0 ||
so the right position is Head 0 , Track 0 , Sector 0.
at 3) the sectornumber is correct.

------------------------------

Date: 05 Jun 90 17:49:46 +0000
From: [email protected] (Bruce Benson)
Subject: Re: How to reset CMOS configuration that prevents booting? (PC)

[email protected] writes:
>> manner that the machine will no longer boot; when I reset it, it goes
>> beep-beep-beep pause beep-beep-beep...
>
> The three beeps seem to indicate a memory error. You may have
> done some unintentional mods to your memory configuration on the
> motherboard. Any PC will not boot if it either finds an error in
> the first 16KB of RAM or cannot locate it as this is usually where
> it tries to load the startup BIOS.

Just within the last 5 days my Zeos 386 w/AMI Bios has started this same
pattern of three beeps. The AMI documentation says this means an error
in the first 64K. A few other facts:

- seems to happen when I first boot the machine after being off many hours
- repeated cold boots eventually resulted in a successful boot
- replacing all simms (4mb) had no affect on the problem (but I do
now have a total of 8Mb of memory, good excuse to buy!)
- using the hardware reset switch clears the problem immediately
- the only system changes in this period was to add an internal MNP modem

I am still playing with the problem, but anyone with more insight into the
meaning of the 3 beeps, or why the reset switch would work differently than
power on/off, please offer up your insights.

* Bruce Benson + Internet - [email protected] + +
* Software Engineering Institute + Compuserv - 76226,3407 + >--|>
* Carnegie Mellon University + Voice - 412 268 8496 + +
* Pittsburgh PA 15213-3890 + + US Air Force

------------------------------

Date: 05 Jun 90 17:54:38 +0000
From: [email protected] (Richard Clark)
Subject: Re: Mac Happy Face turns into a Devil... (Mac)

The "Fanged Happy Face" is a deliberate side effect of installing the Levco
"Monster Mac" RAM upgrade (and an accelerator, I think.)

- -----------------------------+-----------------------------------------------
Richard Clark | "If you don't know where you're going,
Instructor/Designer | don't go there" -- Sybalski's Law
Apple Developer University +-----------------------------------------------
AppleLink, GEnie, Delphi, MCI, Internet: rdclark CI$: 71401, 2071

------------------------------

Date: Tue, 05 Jun 90 14:35:48 -0400
From: Ken Rosenberry <[email protected]>
Subject: Search strings for IBM VIRSCAN program (PC)

The VIRSCAN.EXE program from IBM uses two signature files as input when
performing a virus scan. These files are:

SIGFILE.LST - a list of signature entries for EXE and COM files
SIGBOOT.LST - a list of signature entries for boot sectors

We have versions of these files dated Sept 11, 1989. Are there any
persons who maintain updated versions of these files as new viruses are
discovered? If so, could you please either E-mail me the new files or
post info on where they could be obtained.

Thank you

Ken Rosenberry BITNET: hkr@psuvm
Senior Systems Programmer Internet: [email protected]
Pennsylvania State University APPLELINK: u0485

------------------------------

Date: Tue, 05 Jun 90 14:55:39 -0400
From: Ken Rosenberry <[email protected]>
Subject: How many Universities have a site-license for McAfee's programs (PC)

Various organizations within our University are attempting to
negotiate a site license for John McAfee's virus scan and clean
programs. We are finding that the cost for the programs is VERY high
($18,000 per year). That is a significant portion of our computing
center's software budget for new acquisitions.

I'd like to know what other institutions are paying for the rights to
use this software. Please E-mail your responses directly to me; I
will keep the information confidential.

Thank you.

Ken Rosenberry BITNET: hkr@psuvm
Senior Systems Programmer Internet: [email protected]
Pennsylvania State University APPLELINK: u0485

------------------------------

Date: Tue, 05 Jun 90 16:24:00 -0500
From: SEAN KRULEWITCH <[email protected]>
Subject: Possible virus (PC)

To Who it may concern:

I am fairly new to the whole idea of viruses and the like. I recently
purchased an IBM clone (AMI motherboard 386-20) and have experienced a
few unusual things. Files seem to be vanishing off the disk, and
other programs are acting weird. For example when I run Windows386 I
get a KERNSTUB error during boot, and I am sent back to the dos
prompt. When I try again, I get an incorrect Dos version error. If I
then proceed to type ver it says Dos 3.41. However I am running Dos
4.01. If i type ver a few more times it continues to say dos 3.41.
After the third or fourth time it goes back to saying Dos 4.01. Also
Procomm locks up when I try to enter the setup mode (ALT-S) and I am
forced to turn the machine off (Warm boot doesn't work). After a
while the whole system seems to slow down considerably. One symptom
that seems to be common is a small section of the lower left hand side
of the screen seems to shift up, leaving a small "hole". This happens
in various programs and at the dos prompt. I thought it may be a
problem with my video card, but the card checks out ok. Certain
programs that worked before no longer work. If anyone knows what this
may be, please contact me. I can be reached at the following
addresses:

[email protected] or
[email protected]

Sincerely,
Sean V. Krulewitch

------------------------------

Date: Tue, 05 Jun 90 17:50:42 -0400
From: [email protected] (Pete)
Subject: The Devil Made Me Do It

Thanks to the help of several people on the net, I've discovered that
it is quite easy to make the Happy Mac Screen turn into anything you
please. Just include a startupscreen file in the system folder. This
is exactly what a clever person did. SuperPaint lets you create these
automatically.

I would think it was rather clever if I hadn't spent the day wringing
my hands. The worst casualty of the virus epidemic may not be lost
data, but our senses of humor.

- --
Peter Wayner Department of Computer Science Cornell Univ. Ithaca, NY 14850
EMail:[email protected] Office: 607-255-9202 or 255-1008
Home: 116 Oak Ave, Ithaca, NY 14850 Phone: 607-277-6678

------------------------------

Date: 05 Jun 90 21:55:00 +0000
From: [email protected] (That's MR. Idiot to you)
Subject: WARNING: Potential Trojan Horse 'STEROID' (Mac)

I have just been warned by some people here at Apple that a new Trojan
Horse has been discovered. The INIT 'STEROID', which supposedly speeds
up QuickDraw on a 9" monitor, has a time bomb in it that will cause it
to erase any mounted volumes when it is booted after June 6, 1990
(that's Wednesday). The program has been disassembled here at Apple
and the actions have been confirmed.

IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY.

The details: Type INIT, Creator qdac, Code size 1080, data size 267,
File Name " Steroid", name "Quickdraw Accelerator"

More data when I have it.

chuq

Chuq Von Rospach <+> [email protected] <+> [This is myself speaking]

It isn't easy being green. -- Kermit

------------------------------

Date: Wed, 06 Jun 90 07:45:00 -0400
From: [email protected]
Subject: Gutowski Comments on Unix v. MVS et. al.

>Again, it is just a matter of choice. Unix was intended to be a programmer's
>system; as such it does a great job. With all systems, there is a tradeoff
>between functionality and security, the trick is to find the right
>balance.

True. But it also makes the point of what happens when systems
outgrow, or simply outlast, their intended application and
environment. The Unix problem is complicated by the fact that it
carries with it styles of use and management that were appropriate for
stand-alone support of small homogenous user populations, but which
are disastrous when employed in networked systems with large
heterogenuous populations. (I will spare you a re-cap of "The
Cuckoo's Egg.")

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Wed, 06 Jun 90 08:04:00 -0400
From: "Gregory E. Gilbert" <[email protected]>
Subject: F*** Clone of nVir B (Mac)

Can someone tell me about what date the "Fuck" clone appeared? Thanks.

Greg.
Postal address: Gregory E. Gilbert
Computer Services Division
University of South Carolina
Columbia, South Carolina USA 29208
(803) 777-6015

------------------------------

Date: Wed, 06 Jun 90 15:33:22 +0500
From: AHMET KOLTUKSUZ <[email protected]>
Subject: Info wanted - European Computing Services Assoc.

Hello Folks;

Does anyone know anything about the EUROPEAN COMPUTING SERVICES
ASSOCIATION .. like its address or anyone there whom I could
possibly get in contact with ? or anything..
All helps will be appreciated deeply.. Thank you
I hear that those folks are interested in computer laws
against computer abuse or something...

Please acknowledge to: <[email protected]>

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 108]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253